Prepared statements by 1.0

psiiota

I think we should try to implement prepared statements to replace any mysqli queries before the 1.0 release. I dont see any current issues, just my spidey senses are just going off, and anyone auditing will like to see that.

wrongecho

I'm not against prepared statements as they're great for security, but to essentially rewrite all database logic in the next 2 months without introducing bugs or losing existing functionality seems like a huge task.

I remember that they're also a pain when you try to insert variables into "sort by" / "order by".

psiiota

@johnny If we do not do PDO here: Add Client-Replied and update select2 statuses in ticket sort dropdown by o-psi · Pull Request #806 · itflow-org/itflow (github.com)

then Sonar Cloud reports a false positive Sec Vulnerability.

That is the only reason I went down the prepared statements path.

johnny

I understand why you did it, it is okay to add it back and ignore as we are sanitizing before going into the DB.

wrongecho

SonarCloud is very rarely wrong. Over sanitizing input can very rarely hurt. I'd rather have some broken characters than SQL Injection.